Re: referrer directive expressiveness

On Mon, Feb 10, 2014 at 1:40 PM, Mike West wrote:
> Hrm. I can see that. "none-when-insecure" was meant to refer to the
> transport mechanism only, but I agree with you that it's potentially
> confusing.

I think another problem is also that this value basically means a full
Referer header, unless you go from https to http. So in an insecure
context, such as HTTP without TLS, you would not use none, but full.

"url-unless-downgrade" might make more sense given that description?

Another nit, just "origin" (rather than "origin-always") and
"unsafe-url" to align with "none". Or "none-always", but shorter seems

> My only concern with "default" is that it might end up meaning
> different things to different browsers (see
> for example). It would be nice to have a name that reflected explicit
> functionality as opposed to implicitly falling back on UA behavior. I don't
> have a good suggestion other than what I've already suggested. I'd
> appreciate suggestions from the group...

When we talked about this at Mozilla Brian at least wanted to be able
to experiment with exposing less than done currently. I haven't really
made up my mind personally as to whether that would make privacy
better, but it does seem like something that the user should have
control over and a browser should be able to have a conservative
policy for.


Received on Monday, 10 February 2014 14:05:49 UTC
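
As an added example (not part of the original message or of any specification text), the sketch below computes the Referer value each directive name discussed in this thread would produce. It shows the point made above: "none-when-insecure" still sends the full URL from plain HTTP to plain HTTP. The function names and sample URLs are constructed, and the semantics of "none", "origin" and "unsafe-url" are assumed from their names.

```javascript
// Added illustration. Directive names come from the thread; "default" is left
// out because the thread notes its meaning may differ between browsers.

// A Referer value never carries userinfo or a fragment, so strip both.
function stripForReferrer(url) {
  const copy = new URL(url.href);
  copy.username = "";
  copy.password = "";
  copy.hash = "";
  return copy.href;
}

// Returns the Referer string to send, or null when none is sent.
function computeReferrer(directive, fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  // "Downgrade" is about transport only: leaving https for a non-https target.
  const downgrade = from.protocol === "https:" && to.protocol !== "https:";
  switch (directive) {
    case "none":
      return null;
    case "origin":
      return from.origin + "/";
    case "unsafe-url":
      return stripForReferrer(from);
    case "none-when-insecure":   // name under discussion
    case "url-unless-downgrade": // alternative name suggested in the message
      return downgrade ? null : stripForReferrer(from);
    default:
      throw new Error("unknown directive: " + directive);
  }
}

// Constructed sample navigations: [from, to].
const SAMPLE_NAVIGATIONS = [
  ["https://user:pw@shop.example/cart?item=42#pay", "https://pay.example/start"],
  ["https://user:pw@shop.example/cart?item=42#pay", "http://cdn.example/img.png"],
  ["http://intranet.example/wiki/page?q=1", "http://other.example/"],
];

// One row per navigation, one column per directive, for side-by-side reading.
function referrerTable() {
  const names = ["none", "origin", "url-unless-downgrade", "unsafe-url"];
  return SAMPLE_NAVIGATIONS.map(([from, to]) =>
    Object.fromEntries(names.map((n) => [n, computeReferrer(n, from, to)])));
}

console.table(referrerTable());
```

The third row is the case the message describes: an insecure origin gets the full URL, not "none".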